Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[immi803]

Further to my earlier questions on the DNS firewall and VPN routing - see below - the DNS Firewall is now no longer working

Unbound works fine without it but if enable the Firewall then I get

[1596135750] unbound-checkconf[5209:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1154 cannot insert RR of type CNAME
[1596135750] unbound-checkconf[5209:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596135750] unbound-checkconf[5209:0] fatal error: Could not setup authority zones

***ERROR INVALID unbound configuration

I have tried hard and soft reboots (just in case), as well as option i = Update and unbound and configuration, without success - any suggestions on what I can try next?


Earlier Post
Can someone help with a couple of questions - I think I have configured unbound correctly, but am not entirely sure with respect to the DNS Firewall and sending unbound requests via VPN Client.

With regards to the DNS Firewall, I can see this is enabled but there have been no hits at all since it was installed some weeks ago. Is there some way / site I can check this?

In respect of sending requests via a VPN client, in the Q&A it says


Q. Why does a DNS Leak test show my ISP assigned IP Address?
A. You are now your own recursive DNS resolver! - what other IP could possibly be shown? .... However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.

I have most of my traffic going direct, but do have a VPN for a couple of devices. I have set unbound to use VPN 5, but in any leak test my DNS still shows as my local IP, not the VPN assigned IP - is this correct?

Same problem, nothing is working as it should like adblock etc, tried "unbound -dv" and here's the outcome

v  = View ('/opt/var/lib/unbound/'unbound.conf)

e  = Exit Script [?]

E:Option ==> 7

Do you want to enable DNS Firewall?

        Reply 'y' or press [Enter]  to skip
y
        unbound_rpz.sh downloaded successfully
Custom '/opt/share/unbound/configs/rpzsites' already exists - 'rpzsites' download skipped

Created startup hook in services-start.
Created cron job.
Creating new unbound.conf.firewall file.
(unbound_rpz.sh): 5185 Attempting to Download 1 of 1 from https://urlhaus.abuse.ch/downloads/rpz/.

#=#=#                                                                        ##O#-#                                                                                                                                                  0.################                                                          23.#############################################                             63.######################################################################## 100.0%
Adding zone rpz.urlhaus.abuse.ch to unbound.conf.firewall.
Installed.
Adding 'include: "/opt/share/unbound/configs/unbound.conf.firewall" to '/opt/var/lib/unbound/unbound.conf'

        unbound DNS Firewall ENABLED

[1596155942] unbound-checkconf[5272:0] error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1137 cannot insert RR of type CNAME
[1596155942] unbound-checkconf[5272:0] error: error parsing zonefile /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone for rpz.urlhaus.abuse.ch.
[1596155942] unbound-checkconf[5272:0] fatal error: Could not setup authority zones

***ERROR requested re(Start) of unbound ABORTed! - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Entware NTP server is running
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO

        Options:

        [✔] Ad and Tracker Blocking (No. of Adblock domains=58208,Blocked Hosts=0,Allowlist=19)
        [✔] unbound CPU/Memory Performance tweaks
        [✔] unbound-control FAST response ENABLED
        [✔] DNS Firewall ENABLED


              _
   ____ ____ | |_  ____                                                        / _  |    \|  _)|    \
 ( ( | | | | | |__| | | |                                                      \_||_|_|_|_|\___)_|_|_|
   Goodbye

thunder@RT-AC68U-4370:/tmp/home/root# unbound -dv                            [1596155973] unbound[6342:0] notice: Start of unbound 1.10.1.
Jul 31 00:39:34 unbound[6342:0] error: can't bind socket: Address already in use for 127.0.0.1 port 53535                                                 Jul 31 00:39:34 unbound[6342:0] fatal error: could not open ports
thunder@RT-AC68U-4370:/tmp/home/root#

 

[tomsk]

The format of the rpz file downloaded has changed... thats what's using the causing the config check to fail when the firewall is enabled.... every entry is interpreted as having a resource record of CNAME .. maybe @juched can take a look at this?

error: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone:1137 cannot insert RR of type CNAME

$TTL 30
@ SOA rpz.urlhaus.abuse.ch. hostmaster.urlhaus.abuse.ch. 2007310909 300 1800 604800 30
 NS localhost.
;
; abuse.ch URLhaus Response Policy Zones (RPZ)
; Last updated: 2020-07-31 09:09:04 (UTC)
;
; Terms Of Use: https://urlhaus.abuse.ch/api/
; For questions please contact urlhaus [at] abuse.ch
;
testentry.rpz.urlhaus.abuse.ch CNAME . ; Test entry for testing URLhaus RPZ
01.shgrasp.vip CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/01.shgrasp.vip/
0eed1ejih.com CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/0eed1ejih.com/
14cam.com CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/14cam.com/
1home.az CNAME . ; Malware download (2020-06-11), see https://urlhaus.abuse.ch/host/1home.az/
1iif89rvl.com CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/1iif89rvl.com/
2000kumdo.com CNAME . ; Malware download (2019-04-14), see https://urlhaus.abuse.ch/host/2000kumdo.com/
21robo.com CNAME . ; Malware download (2019-02-20), see https://urlhaus.abuse.ch/host/21robo.com/
224fgbet.com CNAME . ; Malware download (2020-07-20), see https://urlhaus.abuse.ch/host/224fgbet.com/

 

[juched]

I have narrowed it down to this entry:

sipesv.org. CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/sipesv.org./

Seems it doesn't like the fully qualified "." domain ending.

 

[Milan]

I have narrowed it down to this entry:

sipesv.org. CNAME . ; Malware download (2020-07-30), see https://urlhaus.abuse.ch/host/sipesv.org./

Seems it doesn't like the fully qualified "." domain ending.

thx for identifying, dot removed and now error message is gone.

 

[juched]

I pushed an update to remove any offending lines like that. Just need to uninstall and re-install DNS Firewall to get the new fix.

Note: this file downloads every 15 minutes, so if you manually remove it will come back

 

[Torson]

Could someone explain to me why cache.txt does not get restored at all after reboot, unbound restart etc. Here is an example:

15:17:49 Checking 'unbound.conf' for valid Syntax.....
15:17:50 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=3223/958 rrset.cache=8798/5351
15:17:50 Requesting unbound (S61unbound) restart.....
 Shutting down unbound...              done.
 Starting unbound...              done.
15:17:51 Checking status, please wait.....
15:17:54 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-07-31 15:17:50) msg.cache=0/958 rrset.cache=0/5351
15:17:54 unbound OK

 

[Milan]

I pushed an update to remove any offending lines like that. Just need to uninstall and re-install DNS Firewall to get the new fix.

Note: this file downloads every 15 minutes, so if you manually remove it will come back

seems working properly, thx

 

[Chris0815]

I pushed an update to remove any offending lines like that. Just need to uninstall and re-install DNS Firewall to get the new fix.

Thanks! Everything fine again!

 

[dave14305]

Could someone explain to me why cache.txt does not get restored at all after reboot, unbound restart etc. Here is an example:

15:17:49 Checking 'unbound.conf' for valid Syntax.....
15:17:50 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=3223/958 rrset.cache=8798/5351
15:17:50 Requesting unbound (S61unbound) restart.....
Shutting down unbound...              done.
Starting unbound...              done.
15:17:51 Checking status, please wait.....
15:17:54 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-07-31 15:17:50) msg.cache=0/958 rrset.cache=0/5351
15:17:54 unbound OK

I think the first number is the cache size before the reload (0), and the second number is the size of what was to be reloaded from the file. So it’s good.

 

[Martineau]

Could someone explain to me why cache.txt does not get restored at all after reboot, unbound restart etc. Here is an example:

15:17:49 Checking 'unbound.conf' for valid Syntax.....
15:17:50 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=3223/958 rrset.cache=8798/5351
15:17:50 Requesting unbound (S61unbound) restart.....
Shutting down unbound...              done.
Starting unbound...              done.
15:17:51 Checking status, please wait.....
15:17:54 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2020-07-31 15:17:50) msg.cache=0/958 rrset.cache=0/5351
15:17:54 unbound OK

The metrics show 'No. of cache hits'/'cached DNS entries'.

e.g. The saved cache.txt metric msg.cache=3223/958 means there are currently 958 cached entries with 3223 hits.

The restored msg.cache=0/958 means 958 valid cache entries are now restored with zero cache hits.

NOTE: Sometimes I have observed the number of restored cache entries can be 20% less than the reported saved entries - presumably the deleted/missing cache entries are deemed stale/expired entries by the unbound-control restore process.

 

[immi803]

@Martineau
I certainly need help , i always used to get my ip in dns leak test, but suddenly i get following result, getting Google servers 6/7 at times (servers from Zurich), see screenshot

I don't know what's going on with my dns as prior unbound always worked perfectly in past as well as ad blocker , now ad blocker is not working as well

 

[QuikSilver]

@Martineau
I certainly need help , i always used to get my ip in dns leak test, but suddenly i get following result, getting Google servers 6/7 at times (servers from Zurich), see screenshot

I don't know what's going on with my dns as prior unbound always worked perfectly in past as well as ad blocker , now ad blocker is not working as well
View attachment 25054

Unbound not running possibly? Need some more info....Show us some of the settings.....

 

[immi803]

@QuikSilver

 

[raion969]

is it good for performance to enable in unbound dns filter ? also if i enable youtube adblock does it interfere with diversion ?

 

[dave14305]

@QuikSilver
View attachment 25085View attachment 25086View attachment 25087View attachment 25088View attachment 25089

It sounds more like the Android device is set to use Private DNS (DoT), bypassing the router completely.

 

[pigcanswim]

I may need some help as well. This may sound stupid but I'm trying to use VPN+Unbound for DNS such that my DNS resolving will go through my VPN whereas my normal browsing will still be my actual WAN.

I get the feeling that it's impossible but would like to check if anyone had any luck getting it worked out as I'm now browsing with my VPN IP on whatsmyip.

Reason being I do not want to browse the net through my VPN as I'm not sure about my VPN network stability and IP bans from certain countries for my VPN IPs and I'm very sure that my ISP can surf pretty much everywhere.

I went to OVPN GUI on the router Force Internet traffic through tunnel = no and I did a dnsleak and whatsmyip and both show my VPN.

If I set to policy and have my computer set to WAN then both my DNS and whatsmyip will show my WAN.


Edit:
Also, when I try to bind to VPN it still shows as bind to WAN with my WAN IP. (I'm currently double NAT if that matters)

But all tests shows my VPN

Any help is truly appreciated.

 

[archiel]

I may need some help as well. This may sound stupid but I'm trying to use VPN+Unbound for DNS such that my DNS resolving will go through my VPN whereas my normal browsing will still be my actual WAN.

I get the feeling that it's impossible but would like to check if anyone had any luck getting it worked out as I'm now browsing with my VPN IP on whatsmyip.

Reason being I do not want to browse the net through my VPN as I'm not sure about my VPN network stability and IP bans from certain countries for my VPN IPs and I'm very sure that my ISP can surf pretty much everywhere.

I went to OVPN GUI on the router Force Internet traffic through tunnel = no and I did a dnsleak and whatsmyip and both show my VPN.

If I set to policy and have my computer set to WAN then both my DNS and whatsmyip will show my WAN.


Edit:
Also, when I try to bind to VPN it still shows as bind to WAN with my WAN IP. (I'm currently double NAT if that matters)

But all tests shows my VPN

Any help is truly appreciated.

I am also very new to this and quite confused on this setting. I just use my VPN for one device
VPN client 5
Accept DNS Configuration : Exclusive
Policy Rules: Strict

If check the connection (browserleaks, etc) I only see the VPN DNS server as expected.

Other than this all clients connect through the WAN interface, DNSFilter is set to Router and DNS lookup is router through the VPN
unbound_manager advanced, option 3 (advanced tools), vpn 5

I have also installed x3mrouting with option 3 and then

vpnclientn-route-pre-down (0755)
    #!/bin/sh
    /jffs/addons/unbound/unbound_manager.sh vpn=disable
vpnclientn-up (0755)
    #!/bin/sh
    /jffs/addons/unbound/unbound_manager.sh vpn=n delay=9 &

Where n is the number of the vpnclient

With unbound not bound to the vpn then if I use Browserleaks from any other device

I see my home IPs (ipv4 and ipv6) as DNS servers and both are shown as resolving addresses

With unbound bound to the vpn then only the IPv4 address is shown as a DNS server / resolver, though this still can resolve ipv6 addresses - this is what I would expect as both the OpenVPN server and clients on merlin currently only support ipv4.

What I do not understand is that the DNS server address shown is still my local WAN IP, but the notes on item 4 state
'However, if you use a VPN Client, then you may opt to force unbound to bind to the VPN tunnel, so all unbound's DNS requests will be via the tunnel, so now your VPN assigned IP will be shown in a DNS Leak test.'
For clarity the VPN assigned IP is NOT shown in the DNS Leak test, only the WAN IP

 

[pigcanswim]

I am also very new to this and quite confused on this setting. I just use my VPN for one device
VPN client 5
Accept DNS Configuration : Exclusive
Policy Rules: Strict

Actually after some testing, I managed to get it working. its very unstable. Sometimes it seems to work, others it doesn't. Now I'm not even sure if I'm doing it right. lol

Try changing your unbound.conf - outgoing-interface to your VPN IP. Get back to Unbound advanced settings, restart the service and check the config with "?" and see if its binding to your VPN. I had mine bind correctly.
It should say [✔] unbound requests via VPN Client (10.8.0.4) tunnel ENABLED
not [✔] unbound requests force BIND via WAN (192.168.1.114) 'eth0' ENABLED


Next in router GUI - VPN Client - I set Force Internet traffic through tunnel = no , Accept DNS Configuration = no

I now have leaktest showing my VPN and whatsmyip showing my WAN.

@Martineau Problems with unbound I've faced during the test, the VPN bind does not work correctly, it will always force bind to WAN the only way is to change the config directly and input the VPN IP. Even if I input the correct IP from my VPN, it does not update automatically once the VPN IP changes. Not sure if it's meant to be this way.

 

[immi803]

It sounds more like the Android device is set to use Private DNS (DoT), bypassing the router completely.

I rechecked my Android device & no such settings detected to use private dns


Edit : found discrepancy on my device side, huge thanks @dave14305 for pointing to right direction, rocks

 

[New2This]

This there a way I can more blocklist to the Ad and tracker blocking?